From eb8c1206d6b170d4e798a00db7432e023853da5c Mon Sep 17 00:00:00 2001 From: wiredfool Date: Sun, 1 Nov 2020 14:16:38 +0000 Subject: [PATCH 1/2] Fix CVE-2020-35654 - OOB Write in TiffDecode.c * In some circumstances with some versions of libtiff (4.1.0+), there could be a 4 byte out of bound write when decoding a YCbCr tiff. * The Pillow code dates to 6.0.0 * Found and reported through Tidelift --- Tests/images/crash-2020-10-test.tif | Bin 0 -> 4883 bytes Tests/test_tiff_crashes.py | 7 +- src/libImaging/TiffDecode.c | 266 ++++++++++++++++++---------- 3 files changed, 175 insertions(+), 98 deletions(-) create mode 100644 Tests/images/crash-2020-10-test.tif diff --git a/Tests/images/crash-2020-10-test.tif b/Tests/images/crash-2020-10-test.tif new file mode 100644 index 0000000000000000000000000000000000000000..958cdde22098ae65a82e671407f170ef75e34a1f GIT binary patch literal 4883 zcmeHKU2GIp6h3!$x-M;jwk&O|O9s$m#tJfoVVWf+wliKAaz3DL z^_15Db50FKdLu|=+eD)S*U4kH2@kKzBiEbDVY2P(T}rDm(pq^aZUOgY%L$s%t+xf8m2zOyS;uA{V(FvKrE?EgNalcZzcY)9bytoJ zL*L#Gu^aX&n|bvbVAJ2XF92MJ>z>CLE9sI_DXqA}q23?$_(NyK8zIyWTY+qZJuC5kSJzke zq;3B(d7BF(h}hV1>BoZ~*!eOV6PDv2?V#yCQg|fgvFqrT!{v4zlL@OdQbSWD8jr^x zT$^ZXwKiF?&=rcyRG5{HgQD8B>jTG=#}6G% z9c-)b*n4D8f1u~F#{->5hWZ07p_b-nBN5A}^q7>cigc`4^~Ccf^?k2h@NeGp(M|g* zdFC58)Pu6Q8GIZmZZ4Q(m<=HVrUL$LHDVJhG$_AH1%C~{U{Wcj30$*EYHY5tAZC?g zKCT{}c1wv|Whu5`U1mE?tDo5lrMLEUZ8Hk(#7|JoTtZjC(GE7ZX5CsMo-MnB;$DNq z1?J+O#LUg%-BAw(Fqh)p3#dogkHq#0<2>jb4_5sWOw#dSe%*ON z4$*Sqm0Qqz$t#<0c@Wm)Id2;QnpsXXW;f$J4M z0UT8LQ{dGS8&uUqv^G;B9kdI0ox(%Fjo@KNy#l-*bjE4mCWTJ{hZKGbI1C-iz;g~b z0ynLeZn>67Vm;+!Q|n z{#D^GfPV+(L)tj--ORMJ@)_f95cD5G_h%iaRN$l*1lBop59jOudb@ySy4SdOYd+}c z+}<$)L%BJ~j|mPSccm&)r$KHMJ)MIC-Kn7gaN(TzWZy7a?!wNJ{5E*`Dr_f`Hgm}v zyrjdnO_<<5Kzu^63Lz-RLr2u?QMdPgz%W4W(k*F1pYz#+Rnxn1B$cALRC7?$A zBc*{&Lwlb~c5m4hIDTjlUs1SgtKXkW9ZiPA!^6X&;i#n>G#AK>@55rL?JRg9QmxRD Yp?%?KB9RD3tgvM@W8LOsFC^Oj1mik+wEzGB literal 0 HcmV?d00001 
diff --git a/Tests/test_tiff_crashes.py b/Tests/test_tiff_crashes.py index 9c293e01425..d0de4b305d7 100644 --- a/Tests/test_tiff_crashes.py +++ b/Tests/test_tiff_crashes.py @@ -19,7 +19,12 @@ @pytest.mark.parametrize( - "test_file", ["Tests/images/crash_1.tif", "Tests/images/crash_2.tif"] + "test_file", + [ + "Tests/images/crash_1.tif", + "Tests/images/crash_2.tif", + "Tests/images/crash-2020-10-test.tif", + ], ) @pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data") @pytest.mark.filterwarnings("ignore:Metadata warning") diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c index d86a42915b7..2684b9e28bd 100644 --- a/src/libImaging/TiffDecode.c +++ b/src/libImaging/TiffDecode.c 
@@ -238,54 +238,181 @@ int ReadTile(TIFF* tiff, UINT32 col, UINT32 row, UINT32* buffer) { return 0; } -int ReadStrip(TIFF* tiff, UINT32 row, UINT32* buffer) { - uint16 photometric = 0; // init to not PHOTOMETRIC_YCBCR - TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric); - +int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) { // To avoid dealing with YCbCr subsampling, let libtiff handle it - if (photometric == PHOTOMETRIC_YCBCR) { - TIFFRGBAImage img; - char emsg[1024] = ""; - UINT32 rows_per_strip, rows_to_read; - int ok; + // Use a TIFFRGBAImage wrapping the tiff image, and let libtiff handle + // all of the conversion. Metadata read from the TIFFRGBAImage could + // be different from the metadata that the base tiff returns. + + INT32 strip_row; + UINT8 *new_data; + UINT32 rows_per_strip, row_byte_size, rows_to_read; + int ret; + TIFFRGBAImage img; + char emsg[1024] = ""; + int ok; + + ret = TIFFGetFieldDefaulted(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip); + if (ret != 1) { + rows_per_strip = state->ysize; + } + TRACE(("RowsPerStrip: %u \n", rows_per_strip)); + + if (!(TIFFRGBAImageOK(tiff, emsg) && TIFFRGBAImageBegin(&img, tiff, 0, emsg))) { + TRACE(("Decode error, msg: %s", emsg)); + state->errcode = IMAGING_CODEC_BROKEN; + TIFFClose(tiff); + return -1; + } + img.req_orientation = ORIENTATION_TOPLEFT; + img.col_offset = 0; - TIFFGetFieldDefaulted(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip); - if ((row % rows_per_strip) != 0) { - TRACE(("Row passed to ReadStrip() must be first in a strip.")); - return -1; - } + if (state->xsize != img.width || state->ysize != img.height) { + TRACE(("Inconsistent Image Error: %d =? %d, %d =? 
%d", + state->xsize, img.width, state->ysize, img.height)); + state->errcode = IMAGING_CODEC_BROKEN; + TIFFRGBAImageEnd(&img); + TIFFClose(tiff); + return -1; + } + + /* overflow check for row byte size */ + if (INT_MAX / 4 < img.width) { + state->errcode = IMAGING_CODEC_MEMORY; + TIFFRGBAImageEnd(&img); + TIFFClose(tiff); + return -1; + } + + // TiffRGBAImages are 32bits/pixel. + row_byte_size = img.width * 4; + + /* overflow check for realloc */ + if (INT_MAX / row_byte_size < rows_per_strip) { + state->errcode = IMAGING_CODEC_MEMORY; + TIFFRGBAImageEnd(&img); + TIFFClose(tiff); + return -1; + } - if (TIFFRGBAImageOK(tiff, emsg) && TIFFRGBAImageBegin(&img, tiff, 0, emsg)) { - TRACE(("Initialized RGBAImage\n")); + state->bytes = rows_per_strip * row_byte_size; - img.req_orientation = ORIENTATION_TOPLEFT; - img.row_offset = row; - img.col_offset = 0; + TRACE(("StripSize: %d \n", state->bytes)); - rows_to_read = min(rows_per_strip, img.height - row); + /* realloc to fit whole strip */ + /* malloc check above */ + new_data = realloc (state->buffer, state->bytes); + if (!new_data) { + state->errcode = IMAGING_CODEC_MEMORY; + TIFFRGBAImageEnd(&img); + TIFFClose(tiff); + return -1; + } + + state->buffer = new_data; - TRACE(("rows to read: %d\n", rows_to_read)); - ok = TIFFRGBAImageGet(&img, buffer, img.width, rows_to_read); + for (; state->y < state->ysize; state->y += rows_per_strip) { + img.row_offset = state->y; + rows_to_read = min(rows_per_strip, img.height - state->y); + if (TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read) == -1) { + TRACE(("Decode Error, y: %d\n", state->y )); + state->errcode = IMAGING_CODEC_BROKEN; TIFFRGBAImageEnd(&img); - } else { - ok = 0; + TIFFClose(tiff); + return -1; } - if (ok == 0) { - TRACE(("Decode Error, row %d; msg: %s\n", row, emsg)); - return -1; + TRACE(("Decoded strip for row %d \n", state->y)); + + // iterate over each row in the strip and stuff data into image + for (strip_row = 0; strip_row < 
min((INT32) rows_per_strip, state->ysize - state->y); strip_row++) { + TRACE(("Writing data into line %d ; \n", state->y + strip_row)); + + // UINT8 * bbb = state->buffer + strip_row * (state->bytes / rows_per_strip); + // TRACE(("chars: %x %x %x %x\n", ((UINT8 *)bbb)[0], ((UINT8 *)bbb)[1], ((UINT8 *)bbb)[2], ((UINT8 *)bbb)[3])); + + state->shuffle((UINT8*) im->image[state->y + state->yoff + strip_row] + + state->xoff * im->pixelsize, + state->buffer + strip_row * row_byte_size, + state->xsize); } + } + TIFFRGBAImageEnd(&img); + return 0; +} - return 0; +int _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff) { + INT32 strip_row; + UINT8 *new_data; + UINT32 rows_per_strip, row_byte_size; + int ret; + + ret = TIFFGetField(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip); + if (ret != 1) { + rows_per_strip = state->ysize; + } + TRACE(("RowsPerStrip: %u \n", rows_per_strip)); + + // We could use TIFFStripSize, but for YCbCr data it returns subsampled data size + row_byte_size = (state->xsize * state->bits + 7) / 8; + + /* overflow check for realloc */ + if (INT_MAX / row_byte_size < rows_per_strip) { + state->errcode = IMAGING_CODEC_MEMORY; + TIFFClose(tiff); + return -1; + } + + state->bytes = rows_per_strip * row_byte_size; + + TRACE(("StripSize: %d \n", state->bytes)); + + if (TIFFStripSize(tiff) > state->bytes) { + // If the strip size as expected by LibTiff isn't what we're expecting, abort. + // man: TIFFStripSize returns the equivalent size for a strip of data as it would be returned in a + // call to TIFFReadEncodedStrip ... 
+ + state->errcode = IMAGING_CODEC_MEMORY; + TIFFClose(tiff); + return -1; } - if (TIFFReadEncodedStrip(tiff, TIFFComputeStrip(tiff, row, 0), (tdata_t)buffer, -1) == -1) { - TRACE(("Decode Error, strip %d\n", TIFFComputeStrip(tiff, row, 0))); + /* realloc to fit whole strip */ + /* malloc check above */ + new_data = realloc (state->buffer, state->bytes); + if (!new_data) { + state->errcode = IMAGING_CODEC_MEMORY; + TIFFClose(tiff); return -1; } + state->buffer = new_data; + + for (; state->y < state->ysize; state->y += rows_per_strip) { + if (TIFFReadEncodedStrip(tiff, TIFFComputeStrip(tiff, state->y, 0), (tdata_t)state->buffer, -1) == -1) { + TRACE(("Decode Error, strip %d\n", TIFFComputeStrip(tiff, state->y, 0))); + state->errcode = IMAGING_CODEC_BROKEN; + TIFFClose(tiff); + return -1; + } + + TRACE(("Decoded strip for row %d \n", state->y)); + + // iterate over each row in the strip and stuff data into image + for (strip_row = 0; strip_row < min((INT32) rows_per_strip, state->ysize - state->y); strip_row++) { + TRACE(("Writing data into line %d ; \n", state->y + strip_row)); + + // UINT8 * bbb = state->buffer + strip_row * (state->bytes / rows_per_strip); + // TRACE(("chars: %x %x %x %x\n", ((UINT8 *)bbb)[0], ((UINT8 *)bbb)[1], ((UINT8 *)bbb)[2], ((UINT8 *)bbb)[3])); + + state->shuffle((UINT8*) im->image[state->y + state->yoff + strip_row] + + state->xoff * im->pixelsize, + state->buffer + strip_row * row_byte_size, + state->xsize); + } + } return 0; } @@ -294,6 +421,9 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ char *filename = "tempfile.tif"; char *mode = "r"; TIFF *tiff; + uint16 photometric = 0; // init to not PHOTOMETRIC_YCBCR + int isYCbCr = 0; + int ret; /* buffer is the encoded file, bytes is the length of the encoded file */ /* it all ends up in state->buffer, which is a uint8* from Imaging.h */ 
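Review bot: In `_decodeStripYCbCr`, the new test `TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read) == -1` can never fire, because libtiff documents TIFFRGBAImageGet as returning 1 on success and 0 on failure; the removed ReadStrip code tested `ok == 0`. As written, a strip that fails to decode sets no error code, and the loop goes on to shuffle whatever is in the freshly realloc'd `state->buffer` (stale or uninitialised bytes) into the image. The condition should be `if (!TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read)) {`. The same line is carried unchanged as context in the second patch's `@@ -319,9 +253,7 @@` hunk, so the follow-up commit does not correct it.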
@@ -354,6 +484,10 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ } } + + TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric); + isYCbCr = photometric == PHOTOMETRIC_YCBCR; + if (TIFFIsTiled(tiff)) { INT32 x, y, tile_y; UINT32 tile_width, tile_length, current_tile_width, row_byte_size; 
@@ -429,75 +563,13 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ } } } else { - INT32 strip_row; - UINT8 *new_data; - UINT32 rows_per_strip, row_byte_size; - int ret; - - ret = TIFFGetField(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip); - if (ret != 1) { - rows_per_strip = state->ysize; - } - TRACE(("RowsPerStrip: %u \n", rows_per_strip)); - - // We could use TIFFStripSize, but for YCbCr data it returns subsampled data size - row_byte_size = (state->xsize * state->bits + 7) / 8; - - /* overflow check for realloc */ - if (INT_MAX / row_byte_size < rows_per_strip) { - state->errcode = IMAGING_CODEC_MEMORY; - TIFFClose(tiff); - return -1; - } - - state->bytes = rows_per_strip * row_byte_size; - - TRACE(("StripSize: %d \n", state->bytes)); - - if (TIFFStripSize(tiff) > state->bytes) { - // If the strip size as expected by LibTiff isn't what we're expecting, abort. - // man: TIFFStripSize returns the equivalent size for a strip of data as it would be returned in a - // call to TIFFReadEncodedStrip ... 
- - state->errcode = IMAGING_CODEC_MEMORY; - TIFFClose(tiff); - return -1; - } - - /* realloc to fit whole strip */ - /* malloc check above */ - new_data = realloc (state->buffer, state->bytes); - if (!new_data) { - state->errcode = IMAGING_CODEC_MEMORY; - TIFFClose(tiff); - return -1; + if (!isYCbCr) { + ret = _decodeStrip(im, state, tiff); } - - state->buffer = new_data; - - for (; state->y < state->ysize; state->y += rows_per_strip) { - if (ReadStrip(tiff, state->y, (UINT32 *)state->buffer) == -1) { - TRACE(("Decode Error, strip %d\n", TIFFComputeStrip(tiff, state->y, 0))); - state->errcode = IMAGING_CODEC_BROKEN; - TIFFClose(tiff); - return -1; - } - - TRACE(("Decoded strip for row %d \n", state->y)); - - // iterate over each row in the strip and stuff data into image - for (strip_row = 0; strip_row < min((INT32) rows_per_strip, state->ysize - state->y); strip_row++) { - TRACE(("Writing data into line %d ; \n", state->y + strip_row)); - - // UINT8 * bbb = state->buffer + strip_row * (state->bytes / rows_per_strip); - // TRACE(("chars: %x %x %x %x\n", ((UINT8 *)bbb)[0], ((UINT8 *)bbb)[1], ((UINT8 *)bbb)[2], ((UINT8 *)bbb)[3])); - - state->shuffle((UINT8*) im->image[state->y + state->yoff + strip_row] + - state->xoff * im->pixelsize, - state->buffer + strip_row * row_byte_size, - state->xsize); - } + else { + ret = _decodeStripYCbCr(im, state, tiff); } + if (ret == -1) { return ret; } } TIFFClose(tiff); From 45a62e91b1f72e79989a7919af97b062dc8dfaf4 Mon Sep 17 00:00:00 2001 From: wiredfool Date: Sun, 1 Nov 2020 16:25:31 +0000 Subject: [PATCH 2/2] Rework ReadTile * Don't malloc for the swap line, just shuffle backwards * Ensure that im->pixelsize is sanity checked * Ensure that we're using the right size for the buffer from TiffReadRGBATile --- src/libImaging/TiffDecode.c | 166 ++++++++++++++---------------------- 1 file changed, 62 insertions(+), 104 deletions(-) 
diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c index 2684b9e28bd..5cbbe7380ea 100644 --- a/src/libImaging/TiffDecode.c +++ b/src/libImaging/TiffDecode.c 
@@ -181,63 +181,6 @@ int ImagingLibTiffInit(ImagingCodecState state, int fp, uint32 offset) { } -int ReadTile(TIFF* tiff, UINT32 col, UINT32 row, UINT32* buffer) { - uint16 photometric = 0; - - TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric); - - // To avoid dealing with YCbCr subsampling, let libtiff handle it - if (photometric == PHOTOMETRIC_YCBCR) { - UINT32 tile_width, tile_height, swap_line_size, i_row; - UINT32* swap_line; - - TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tile_width); - TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tile_height); - - swap_line_size = tile_width * sizeof(UINT32); - if (tile_width != swap_line_size / sizeof(UINT32)) { - return -1; - } - - /* Read the tile into an RGBA array */ - if (!TIFFReadRGBATile(tiff, col, row, buffer)) { - return -1; - } - - swap_line = (UINT32*)malloc(swap_line_size); - if (swap_line == NULL) { - return -1; - } - /* - * For some reason the TIFFReadRGBATile() function chooses the - * lower left corner as the origin. Vertically mirror scanlines. - */ - for(i_row = 0; i_row < tile_height / 2; i_row++) { - UINT32 *top_line, *bottom_line; - - top_line = buffer + tile_width * i_row; - bottom_line = buffer + tile_width * (tile_height - i_row - 1); - - memcpy(swap_line, top_line, 4*tile_width); - memcpy(top_line, bottom_line, 4*tile_width); - memcpy(bottom_line, swap_line, 4*tile_width); - } - - free(swap_line); - - return 0; - } - - if (TIFFReadTile(tiff, (tdata_t)buffer, col, row, 0, 0) == -1) { - TRACE(("Decode Error, Tile at %dx%d\n", col, row)); - return -1; - } - - TRACE(("Successfully read tile at %dx%d; \n\n", col, row)); - - return 0; -} - int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) { // To avoid dealing with YCbCr subsampling, let libtiff handle it // Use a TIFFRGBAImage wrapping the tiff image, and let libtiff handle 
@@ -250,7 +193,6 @@ int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) { int ret; TIFFRGBAImage img; char emsg[1024] = ""; - int ok; ret = TIFFGetFieldDefaulted(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip); if (ret != 1) { @@ -261,7 +203,7 @@ int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) { if (!(TIFFRGBAImageOK(tiff, emsg) && TIFFRGBAImageBegin(&img, tiff, 0, emsg))) { TRACE(("Decode error, msg: %s", emsg)); state->errcode = IMAGING_CODEC_BROKEN; - TIFFClose(tiff); + // nothing to clean up, just return return -1; } @@ -272,17 +214,13 @@ int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) { TRACE(("Inconsistent Image Error: %d =? %d, %d =? %d", state->xsize, img.width, state->ysize, img.height)); state->errcode = IMAGING_CODEC_BROKEN; - TIFFRGBAImageEnd(&img); - TIFFClose(tiff); - return -1; + goto decodeycbcr_err; } /* overflow check for row byte size */ if (INT_MAX / 4 < img.width) { state->errcode = IMAGING_CODEC_MEMORY; - TIFFRGBAImageEnd(&img); - TIFFClose(tiff); - return -1; + goto decodeycbcr_err; } // TiffRGBAImages are 32bits/pixel. @@ -291,9 +229,7 @@ int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) { /* overflow check for realloc */ if (INT_MAX / row_byte_size < rows_per_strip) { state->errcode = IMAGING_CODEC_MEMORY; - TIFFRGBAImageEnd(&img); - TIFFClose(tiff); - return -1; + goto decodeycbcr_err; } state->bytes = rows_per_strip * row_byte_size; @@ -305,9 +241,7 @@ int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) { new_data = realloc (state->buffer, state->bytes); if (!new_data) { state->errcode = IMAGING_CODEC_MEMORY; - TIFFRGBAImageEnd(&img); - TIFFClose(tiff); - return -1; + goto decodeycbcr_err; } state->buffer = new_data; 
@@ -319,9 +253,7 @@ int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) { if (TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read) == -1) { TRACE(("Decode Error, y: %d\n", state->y )); state->errcode = IMAGING_CODEC_BROKEN; - TIFFRGBAImageEnd(&img); - TIFFClose(tiff); - return -1; + goto decodeycbcr_err; } TRACE(("Decoded strip for row %d \n", state->y)); @@ -339,7 +271,12 @@ int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) { state->xsize); } } - TIFFRGBAImageEnd(&img); + + decodeycbcr_err: + TIFFRGBAImageEnd(&img); + if (state->errcode != 0) { + return -1; + } return 0; } @@ -361,7 +298,6 @@ int _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff) { /* overflow check for realloc */ if (INT_MAX / row_byte_size < rows_per_strip) { state->errcode = IMAGING_CODEC_MEMORY; - TIFFClose(tiff); return -1; } @@ -375,7 +311,6 @@ int _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff) { // call to TIFFReadEncodedStrip ... state->errcode = IMAGING_CODEC_MEMORY; - TIFFClose(tiff); return -1; } @@ -384,7 +319,6 @@ int _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff) { new_data = realloc (state->buffer, state->bytes); if (!new_data) { state->errcode = IMAGING_CODEC_MEMORY; - TIFFClose(tiff); return -1; } @@ -394,7 +328,6 @@ int _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff) { if (TIFFReadEncodedStrip(tiff, TIFFComputeStrip(tiff, state->y, 0), (tdata_t)state->buffer, -1) == -1) { TRACE(("Decode Error, strip %d\n", TIFFComputeStrip(tiff, state->y, 0))); state->errcode = IMAGING_CODEC_BROKEN; - TIFFClose(tiff); return -1; } @@ -423,7 +356,6 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ TIFF *tiff; uint16 photometric = 0; // init to not PHOTOMETRIC_YCBCR int isYCbCr = 0; - int ret; /* buffer is the encoded file, bytes is the length of the encoded file */ /* it all ends up in state->buffer, which is a uint8* from Imaging.h */ 
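Review bot: The `decodeycbcr_err:` label added at the end of `_decodeStripYCbCr` (hunk `@@ -339,7 +271,12 @@`) is also the normal exit, and the return value is taken from `state->errcode != 0` rather than from what happened in this call. That makes the result depend on `state->errcode` being zero on entry, which the visible hunks do not establish, and the `_err` name hides that the success path falls through it. Renaming the label to something neutral such as `decodeycbcr_done:` and adding a comment like `/* reached on success and on failure; state->errcode decides the return value */` would make the contract readable. The function body starts in an earlier hunk.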
@@ -480,7 +412,7 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ rv = TIFFSetSubDirectory(tiff, ifdoffset); if (!rv){ TRACE(("error in TIFFSetSubDirectory")); - return -1; + goto decode_err; } } @@ -490,7 +422,7 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ if (TIFFIsTiled(tiff)) { INT32 x, y, tile_y; - UINT32 tile_width, tile_length, current_tile_width, row_byte_size; + UINT32 tile_width, tile_length, current_tile_length, current_line, current_tile_width, row_byte_size; UINT8 *new_data; TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tile_width); @@ -499,18 +431,26 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ /* overflow check for row_byte_size calculation */ if ((UINT32) INT_MAX / state->bits < tile_width) { state->errcode = IMAGING_CODEC_MEMORY; - TIFFClose(tiff); - return -1; + goto decode_err; } - // We could use TIFFTileSize, but for YCbCr data it returns subsampled data size - row_byte_size = (tile_width * state->bits + 7) / 8; + + if (isYCbCr) { + row_byte_size = tile_width * 4; + /* sanity check, we use this value in shuffle below */ + if (im->pixelsize != 4) { + state->errcode = IMAGING_CODEC_BROKEN; + goto decode_err; + } + } else { + // We could use TIFFTileSize, but for YCbCr data it returns subsampled data size + row_byte_size = (tile_width * state->bits + 7) / 8; + } /* overflow check for realloc */ if (INT_MAX / row_byte_size < tile_length) { state->errcode = IMAGING_CODEC_MEMORY; - TIFFClose(tiff); - return -1; + goto decode_err; } state->bytes = row_byte_size * tile_length; @@ -518,8 +458,7 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ if (TIFFTileSize(tiff) > state->bytes) { // If the strip size as expected by LibTiff isn't what we're expecting, abort. state->errcode = IMAGING_CODEC_MEMORY; - TIFFClose(tiff); - return -1; + goto decode_err; } /* realloc to fit whole tile */ 
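Review bot: The `TIFFSetSubDirectory` failure path now does `goto decode_err;` without assigning `state->errcode`, unlike every other error branch this patch routes to that label. The tail of the function, as far as it is visible in the last hunk, closes the handle and its comment says it returns -1 unconditionally, so the error code appears to be the only thing that tells the caller this decode failed; that is inferred from the visible tail, not shown in full. Setting it before the jump keeps the path consistent: add `state->errcode = IMAGING_CODEC_BROKEN;` on the line above `goto decode_err;`.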
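Review bot: In the new `if (isYCbCr)` branch of hunk `@@ -499,18 +431,26 @@`, `row_byte_size = tile_width * 4;` is protected only by the earlier guard `(UINT32) INT_MAX / state->bits < tile_width`, which bounds `tile_width * 4` only when `state->bits` is at least 4. `_decodeStripYCbCr` uses an explicit `INT_MAX / 4 < img.width` test for the same multiplication, and the tile path would be easier to audit with the equivalent check inside this branch: `if (tile_width > (UINT32) INT_MAX / 4) { state->errcode = IMAGING_CODEC_MEMORY; goto decode_err; }`. Whether `state->bits` can be below 4 for a YCbCr file is not visible here, so treat this as hardening rather than a confirmed overflow.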
@@ -527,8 +466,7 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ new_data = realloc (state->buffer, state->bytes); if (!new_data) { state->errcode = IMAGING_CODEC_MEMORY; - TIFFClose(tiff); - return -1; + goto decode_err; } state->buffer = new_data; 
@@ -537,26 +475,46 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ for (y = state->yoff; y < state->ysize; y += tile_length) { for (x = state->xoff; x < state->xsize; x += tile_width) { - if (ReadTile(tiff, x, y, (UINT32*) state->buffer) == -1) { - TRACE(("Decode Error, Tile at %dx%d\n", x, y)); - state->errcode = IMAGING_CODEC_BROKEN; - TIFFClose(tiff); - return -1; + if (isYCbCr) { + /* To avoid dealing with YCbCr subsampling, let libtiff handle it */ + if (!TIFFReadRGBATile(tiff, x, y, (UINT32 *)state->buffer)) { + TRACE(("Decode Error, Tile at %dx%d\n", x, y)); + state->errcode = IMAGING_CODEC_BROKEN; + goto decode_err; + } + } else { + if (TIFFReadTile(tiff, (tdata_t)state->buffer, x, y, 0, 0) == -1) { + TRACE(("Decode Error, Tile at %dx%d\n", x, y)); + state->errcode = IMAGING_CODEC_BROKEN; + goto decode_err; + } } TRACE(("Read tile at %dx%d; \n\n", x, y)); current_tile_width = min((INT32) tile_width, state->xsize - x); - + current_tile_length = min((INT32) tile_length, state->ysize - y); // iterate over each line in the tile and stuff data into image - for (tile_y = 0; tile_y < min((INT32) tile_length, state->ysize - y); tile_y++) { + for (tile_y = 0; tile_y < current_tile_length; tile_y++) { TRACE(("Writing tile data at %dx%d using tile_width: %d; \n", tile_y + y, x, current_tile_width)); // UINT8 * bbb = state->buffer + tile_y * row_byte_size; // TRACE(("chars: %x%x%x%x\n", ((UINT8 *)bbb)[0], ((UINT8 *)bbb)[1], ((UINT8 *)bbb)[2], ((UINT8 *)bbb)[3])); - + /* + * For some reason the TIFFReadRGBATile() function + * chooses the lower left corner as the origin. + * Vertically mirror by shuffling the scanlines + * backwards + */ + + if (isYCbCr) { + current_line = tile_length - tile_y - 1; + } else { + current_line = tile_y; + } + state->shuffle((UINT8*) im->image[tile_y + y] + x * im->pixelsize, - state->buffer + tile_y * row_byte_size, + state->buffer + current_line * row_byte_size, current_tile_width ); } 
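Review bot: `current_tile_length` and `current_line` are declared `UINT32` (in the `@@ -490,7 +422,7 @@` hunk), so the rewritten loop test `tile_y < current_tile_length` compares the signed `tile_y` against an unsigned bound, where the old test kept the bound signed through `min((INT32) tile_length, state->ysize - y)`. With the loop conditions shown, `state->ysize - y` stays positive, but if it were ever negative the old loop would run zero times while the new one would see a very large unsigned bound and keep writing rows. Declaring both with the other signed locals keeps the earlier behaviour: `INT32 x, y, tile_y, current_tile_length, current_line;`. A short comment next to `current_line = tile_length - tile_y - 1;` noting that the index stays inside the buffer because `state->bytes` is `row_byte_size * tile_length` would also help the next reader.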
@@ -564,14 +522,14 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ } } else { if (!isYCbCr) { - ret = _decodeStrip(im, state, tiff); + _decodeStrip(im, state, tiff); } else { - ret = _decodeStripYCbCr(im, state, tiff); + _decodeStripYCbCr(im, state, tiff); } - if (ret == -1) { return ret; } } + decode_err: TIFFClose(tiff); TRACE(("Done Decoding, Returning \n")); // Returning -1 here to force ImageFile.load to break, rather than